
Page 1: Telecommunication and Security LAB. Dept. of Industrial Engineering

An Effective Placement of Detection Systems for Distributed Attack Detection in Large Scale Networks

Telecommunication and Security LAB., Dept. of Industrial Engineering

Seok Bong Jeong

Page 2

Telecommunication Systems and Internet Security Lab

Contents

I. Introduction

II. Placement of Distributed Detection Systems

• Objectives for DDS placement

• DS placement problem

III. Numerical Results

IV. Conclusions

Page 3

I. Introduction (1)

▣ The Internet infrastructure is highly vulnerable to distributed attacks (DDoS attacks and flash crowds)

▣ DDoS attacks

◈ DDoS attacks do not rely on particular network protocols or system weaknesses.

◈ DDoS attacks simply exploit the huge resource asymmetry between the Internet and the victim.

▣ Flash crowds

◈ FCs occur when a large number of users try to access the same server simultaneously.

◈ FCs overload the network links, routers, and the server itself.

[Figure: DDoS attack structure, with the labelled roles attacker, masters (handlers), agents (daemons or zombies) and victim]

Page 4

I. Introduction (2)

▣ Several approaches to defend against distributed attacks

◈ EMERALD, GrIDS, JAM, JiNao, AAFID

▣ Challenging tasks in designing an effective and deployable DDS

◈ A variety of algorithmic and engineering design issues

◈ What is the minimum number of DSs required?

◈ Optimal placement of DSs

▣ Objectives of this paper

◈ We focus on the placement problem of DSs across large scale networks for distributed intrusion detection approaches.

◈ Minimize the overall number of DSs

◈ Limit the set of nodes that can participate in an attack

Page 5

II. Objectives for DDS placement

▣ Assumptions

◈ All attack traffic passing through sensor nodes that perform DS is detected

◈ Routing follows the shortest path between two nodes

◈ DSs are placed at nodes 3, 4, and 7

▣ Possible attack nodes for node i, A(i)

◈ A(1) = {node 2}

◈ A(5) = {node 0, node 6, node 8, node 9}

◈ Node 1 is more robust than node 5

[Figure: example topology with nodes 0 to 9, DSs placed at nodes 3, 4 and 7, illustrating A(1) and A(5)]

Page 6

II. Objectives for DDS placement

▣ DDS placement issues

◈ It is impossible to implement DSs in all nodes of a network

◈ Most distributed attacks (e.g. DDoS attacks) become critical threats when a great number of nodes (e.g. servers or hosts) participate in the attack

◈ Thus, if we place DSs across the network in a well-distributed manner, the impact of an attack can be localized and minimized to the point where it can be ignored.

▣ Key objectives of placing DSs

◈ Minimize the total number of DSs

◈ Minimize the number of nodes that could send attack packets to any other node more than the given number of hops away without passing through a sensor

◈ Find the optimal placement of the DSs

Page 7

III. DS placement problem (DSPP) – (1)

▣ Notations

◈ $G = (V, E)$: an undirected graph representing the Internet topology

– Each node in $V$ can be interpreted as a router or an autonomous system

◈ $T$: a subset of nodes where intrusion detection is performed

◈ $|T| / |V|$: the coverage ratio

◈ $r$: the localization factor

◈ $c_i(r)$: the number of nodes that are more than $r$ hops apart from node $i$ and can send attack packets to node $i$ without passing through DSs

– $c_i(r) = 0$: every attack can be localized to within a small set of candidate nodes with a distance of less than $r$ hops from node $i$

– $c_i(1) = 0$: all attack packets destined to node $i$ are detected because all traffic destined to node $i$ must pass through at least one DS

◈ (DSPP1)

$$\min |T| \quad \text{s.t.} \quad c_i(r) = 0 \ \text{ for } i \in V$$

Page 8

III. DS placement problem (DSPP) – (2)

▣ Notations

◈ $x_i$: the decision variable, which is 1 if node $i$ performs DS and 0 otherwise

◈ $E_T$: the subset of $E$ composed of the edges that connect the nodes that perform DS

◈ $d(i, j)$: the distance between node $i$ and node $j$

◈ $c_{ij}$: 1 if the distance between node $i$ and node $j$ is more than $r$ in $G'$, and 0 otherwise

▣ DSPP2

$$\min \sum_{i \in V} x_i$$

$$\text{s.t.} \quad \sum_{j} c_{ij} = 0 \ \text{ for } i \in V, \qquad x_i \in \{0, 1\} \ \text{ for } i \in V$$

where $G' = (V', E')$ with $V' = V \setminus T$ and $E' = E \setminus E_T$.

Page 9

III. DS placement problem (DSPP) – (3)

▣ Set packing problem

◈ $F \subseteq N$ is a packing with respect to $V$ if $V_j \cap V_k = \emptyset$ for all $j, k \in F$, $j \neq k$.

◈ Each packing is composed of nodes that are not DS nodes

◈ The maximum value of $d(i, j)$ for all nodes $i, j \in V_k$ in a packing should be less than $r$

◈ $x_j$ is the decision variable, which is 1 if the index $j$ of $V_j$ is included in the set packing $F$, and 0 otherwise

◈ Let $a_{ij}$ be the coefficient, which is 1 if node $i$ is included in $V_j$, and 0 otherwise.

▣ (DSPP3)

$$\max \sum_{i \in V} \sum_{j \in N} a_{ij} x_j$$

$$\text{s.t.} \quad \sum_{j \in N} a_{ij} x_j \le 1 \ \text{ for } i \in V$$

$$d(i, k)\, x_j \le r - 1 \ \text{ for } i, k \in V_j,\ i \neq k,\ j \in N$$

$$2\, x_j x_l \le d(i, k) \ \text{ for } i \in V_j,\ k \in V_l,\ j \neq l,\ j, l \in N$$

$$x \in \mathbb{B}^n$$

Page 10

III. DS placement problem (DSPP) – (4)

Step 1: Set $i = 1$ and $G_1 = (V_1, E_1) = G = (V, E)$. $DS = \emptyset$.

Step 2: Search a node $j$ that has the minimum number of edges in $G_i = (V_i, E_i)$. $\bar{V}_i = \{j\}$. $\bar{E}_i = \emptyset$. $DS_i = \emptyset$. $d_i = 0$.

Step 2.1: Search a node $j$ that has the minimum number of edges among the nodes such that $j \in V_i$, $j \notin \bar{V}_i$, $\exists k \in \bar{V}_i$ s.t. $e(j, k) \in E_i$.

Step 2.1.1: If there is no such node then proceed to 3.

Step 2.2: $\bar{E}_i = \bar{E}_i \cup \{ e(j, k) \mid k \text{ s.t. } e(j, k) \in E_i,\ k \in \bar{V}_i \}$.

Step 2.3: $\bar{V}_i = \bar{V}_i \cup \{j\}$.

Step 2.4: Calculate the maximum value of the distances, $d_i$, in $\bar{G}_i = (\bar{V}_i, \bar{E}_i)$.

Step 2.5: If $d_i \le r - 1$ then proceed to 2.1, else proceed to 3.

Step 3: $DS_i = DS_i \cup \{ k \mid k \in V_i,\ k \notin \bar{V}_i,\ e(k, l) \in E_i \text{ s.t. } l \in \bar{V}_i \}$.

Step 3.1: $\bar{E}_i = \bar{E}_i \cup \{ e(j, k) \mid j, k \text{ s.t. } j \in DS_i,\ k \in \bar{V}_i,\ e(j, k) \in E_i \}$.

Step 3.2: $\bar{V}_i = \bar{V}_i \cup DS_i$.

Step 3.3: $\bar{E}_i = \bar{E}_i \cup \{ e(j, k) \mid j, k \text{ s.t. } j \in V_i,\ j \notin \bar{V}_i,\ k \in DS_i,\ e(j, k) \in E_i \}$.

Step 3.4: $V_{i+1} = V_i \setminus \bar{V}_i$, $E_{i+1} = E_i \setminus \bar{E}_i$.

Step 3.5: If $V_{i+1}$ is empty then proceed to 4, else set $i = i + 1$ and proceed to 2.

Step 4: $DS = \bigcup_i DS_i$. Terminate.
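As an added example (not code from the paper or its authors), the Python below implements two things the slides describe in prose: the attack-candidate set A(i) and the count c_i(r) of undetected attackers more than r hops away under a given DS placement (slides 5, 7 and 8), and the greedy clustering procedure of Steps 1 to 4 above, followed by a check that the resulting placement satisfies DSPP1. The 10-node topology is constructed for this example and is not the figure from slide 5. Two assumptions are made: reachability and distances are taken in G' (the graph with DS nodes removed) as on slide 8, which is conservative with respect to shortest-path routing; and in Step 2.5 a node whose addition would push the cluster diameter past r - 1 is rejected rather than kept.

```python
from collections import deque

# Constructed 10-node topology (node ids 0..9), an assumption for this example:
# a 10-cycle with two chords (2-7 and 4-9). It is NOT the slide-5 figure.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (6, 7), (7, 8),
         (8, 9), (9, 0), (2, 7), (4, 9)]


def build_graph(edges):
    """Undirected adjacency sets for G = (V, E)."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


ADJ = build_graph(EDGES)


def bfs_distances(adj, src, allowed=None):
    """Hop distances from src inside the subgraph induced by `allowed`
    (every node when None). Unreachable nodes are simply absent."""
    allowed = set(adj) if allowed is None else set(allowed)
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v in allowed and v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def undetected_distances(adj, ds, i):
    """d(i, j) in G' = G minus the DS nodes, for every j that can reach node i
    without crossing a DS (slide-8 model). Traffic through a DS is assumed
    detected, and a DS node sees all of its own traffic, so {} for i in DS."""
    if i in ds:
        return {}
    dist = bfs_distances(adj, i, allowed=set(adj) - set(ds))
    del dist[i]
    return dist


def attack_candidates(adj, ds, i):
    """A(i): nodes that can send attack packets to i undetected (slide 5)."""
    return set(undetected_distances(adj, ds, i))


def c_i(adj, ds, i, r):
    """c_i(r): how many undetected candidates sit more than r hops from i."""
    return sum(1 for d in undetected_distances(adj, ds, i).values() if d > r)


def placement_is_valid(adj, ds, r):
    """DSPP1 feasibility: c_i(r) = 0 for every node i in V."""
    return all(c_i(adj, ds, i, r) == 0 for i in adj)


def coverage_ratio(adj, ds):
    """|T| / |V|, the quantity the placement tries to keep small."""
    return len(ds) / len(adj)


def cluster_diameter(adj, nodes):
    """Largest hop distance inside the subgraph induced by `nodes`."""
    return max(max(bfs_distances(adj, n, allowed=nodes).values()) for n in nodes)


def greedy_placement(adj, r):
    """Greedy DS placement following Steps 1-4: grow a cluster of non-DS nodes
    from a minimum-degree seed, one minimum-degree neighbour at a time, while
    its diameter stays at most r - 1; then make every remaining node adjacent
    to the cluster a DS (the fence), remove cluster and fence, and repeat.
    Assumed reading of Step 2.5: a node that would break the bound is rejected."""
    remaining = set(adj)   # V_i
    ds = set()             # DS = union of DS_i
    while remaining:
        degree = lambda n: len(adj[n] & remaining)          # degree within G_i
        cluster = {min(sorted(remaining), key=degree)}      # Step 2: seed
        while True:
            frontier = {n for n in remaining - cluster if adj[n] & cluster}
            if not frontier:                                # Step 2.1.1
                break
            j = min(sorted(frontier), key=degree)           # Step 2.1
            if cluster_diameter(adj, cluster | {j}) > r - 1:  # Steps 2.4-2.5
                break
            cluster.add(j)                                  # Step 2.3
        fence = {n for n in remaining - cluster if adj[n] & cluster}  # Step 3
        ds |= fence
        remaining -= cluster | fence                        # Step 3.4
    return ds


if __name__ == "__main__":
    placement = greedy_placement(ADJ, r=3)
    print("DS nodes:", sorted(placement), "coverage ratio:", coverage_ratio(ADJ, placement))
    print("DSPP1 satisfied for r=3:", placement_is_valid(ADJ, placement, 3))
    for node in (1, 5, 8):
        print(f"A({node}) =", sorted(attack_candidates(ADJ, placement, node)))
```

On the constructed graph with r = 3 the procedure fences the first cluster {0, 1, 2} with DSs at 3, 7 and 9, after which the leftover nodes 4, 5, 6 and 8 already form clusters of diameter at most 2, so three sensors (coverage ratio 0.3) satisfy c_i(3) = 0 for every node. A single DS at node 3 does not: node 5 can still reach node 1 undetected over four hops, so c_1(3) = 1.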

Page 11

V. Numerical Results (1)

[Figure: test topologies (a) with 12 nodes, (b) with 14 nodes and (c) with 38 nodes]

Page 12

V. Numerical Results (2)

[Figure: results for topologies (a), (b) and (c), proposed scheme versus CPS, plotted against the localization factor r (r = 1 to 7 for (a) and (b), r = 1 to 8 for (c)); y-axis from 0 to 0.8 for (a) and (b), 0 to 1 for (c)]

Page 13

Conclusions

▣ We have presented a DS placement approach for detecting distributed attacks.

▣ Perfect detection is difficult to achieve in the Internet environment while maintaining sparse coverage. However, this is mitigated by the fact that attack traffic that can escape the DSs can be localized to within r hops.

▣ Our scheme reduces the total number of DSs while localizing the candidate sources of an attack.